You cannot select more than 25 topics
			Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
		
		
		
		
		
			
		
			
				
	
	
		
			876 lines
		
	
	
		
			31 KiB
		
	
	
	
		
			Python
		
	
			
		
		
	
	
			876 lines
		
	
	
		
			31 KiB
		
	
	
	
		
			Python
		
	
| # Copyright 2015 The Chromium Authors. All rights reserved.
 | |
| # Use of this source code is governed by a BSD-style license that can be
 | |
| # found in the LICENSE file.
 | |
| 
 | |
| """Google OAuth2 related functions."""
 | |
| 
 | |
| import BaseHTTPServer
 | |
| import collections
 | |
| import datetime
 | |
| import functools
 | |
| import hashlib
 | |
| import json
 | |
| import logging
 | |
| import optparse
 | |
| import os
 | |
| import socket
 | |
| import sys
 | |
| import threading
 | |
| import time
 | |
| import urllib
 | |
| import urlparse
 | |
| import webbrowser
 | |
| 
 | |
| from third_party import httplib2
 | |
| from third_party.oauth2client import client
 | |
| from third_party.oauth2client import multistore_file
 | |
| 
 | |
| 
 | |
| # depot_tools/.
 | |
| DEPOT_TOOLS_DIR = os.path.dirname(os.path.abspath(__file__))
 | |
| 
 | |
| 
 | |
| # Google OAuth2 clients always have a secret, even if the client is an installed
 | |
| # application/utility such as this. Of course, in such cases the "secret" is
 | |
| # actually publicly known; security depends entirely on the secrecy of refresh
 | |
| # tokens, which effectively become bearer tokens. An attacker can impersonate
 | |
| # service's identity in OAuth2 flow. But that's generally fine as long as a list
 | |
| # of allowed redirect_uri's associated with client_id is limited to 'localhost'
 | |
| # or 'urn:ietf:wg:oauth:2.0:oob'. In that case attacker needs some process
 | |
| # running on user's machine to successfully complete the flow and grab refresh
 | |
| # token. When you have a malicious code running on your machine, you're screwed
 | |
| # anyway.
 | |
| # This particular set is managed by API Console project "chrome-infra-auth".
 | |
| OAUTH_CLIENT_ID = (
 | |
|     '446450136466-2hr92jrq8e6i4tnsa56b52vacp7t3936.apps.googleusercontent.com')
 | |
| OAUTH_CLIENT_SECRET = 'uBfbay2KCy9t4QveJ-dOqHtp'
 | |
| 
 | |
| # This is what most GAE apps require for authentication.
 | |
| OAUTH_SCOPE_EMAIL = 'https://www.googleapis.com/auth/userinfo.email'
 | |
| # Gerrit and Git on *.googlesource.com require this scope.
 | |
| OAUTH_SCOPE_GERRIT = 'https://www.googleapis.com/auth/gerritcodereview'
 | |
| # Deprecated. Use OAUTH_SCOPE_EMAIL instead.
 | |
| OAUTH_SCOPES = OAUTH_SCOPE_EMAIL
 | |
| 
 | |
| # Path to a file with cached OAuth2 credentials used by default relative to the
 | |
| # home dir (see _get_token_cache_path). It should be a safe location accessible
 | |
| # only to a current user: knowing content of this file is roughly equivalent to
 | |
| # knowing account password. Single file can hold multiple independent tokens
 | |
| # identified by token_cache_key (see Authenticator).
 | |
| OAUTH_TOKENS_CACHE = '.depot_tools_oauth2_tokens'
 | |
| 
 | |
| 
 | |
| # Authentication configuration extracted from command line options.
 | |
| # See doc string for 'make_auth_config' for meaning of fields.
 | |
| AuthConfig = collections.namedtuple('AuthConfig', [
 | |
|     'use_oauth2', # deprecated, will be always True
 | |
|     'save_cookies', # deprecated, will be removed
 | |
|     'use_local_webserver',
 | |
|     'webserver_port',
 | |
|     'refresh_token_json',
 | |
| ])
 | |
| 
 | |
| 
 | |
| # OAuth access token with its expiration time (UTC datetime or None if unknown).
 | |
| class AccessToken(collections.namedtuple('AccessToken', [
 | |
|     'token',
 | |
|     'expires_at',
 | |
|   ])):
 | |
| 
 | |
|   def needs_refresh(self, now=None):
 | |
|     """True if this AccessToken should be refreshed."""
 | |
|     if self.expires_at is not None:
 | |
|       now = now or datetime.datetime.utcnow()
 | |
|       # Allow 3 min of clock skew between client and backend.
 | |
|       now += datetime.timedelta(seconds=180)
 | |
|       return now >= self.expires_at
 | |
|     # Token without expiration time never expires.
 | |
|     return False
 | |
| 
 | |
| 
 | |
| # Refresh token passed via --auth-refresh-token-json.
 | |
| RefreshToken = collections.namedtuple('RefreshToken', [
 | |
|     'client_id',
 | |
|     'client_secret',
 | |
|     'refresh_token',
 | |
| ])
 | |
| 
 | |
| 
 | |
| class AuthenticationError(Exception):
 | |
|   """Raised on errors related to authentication."""
 | |
| 
 | |
| 
 | |
| class LoginRequiredError(AuthenticationError):
 | |
|   """Interaction with the user is required to authenticate."""
 | |
| 
 | |
|   def __init__(self, token_cache_key):
 | |
|     # HACK(vadimsh): It is assumed here that the token cache key is a hostname.
 | |
|     msg = (
 | |
|         'You are not logged in. Please login first by running:\n'
 | |
|         '  depot-tools-auth login %s' % token_cache_key)
 | |
|     super(LoginRequiredError, self).__init__(msg)
 | |
| 
 | |
| 
 | |
| class LuciContextAuthError(Exception):
 | |
|   """Raised on errors related to unsuccessful attempts to load LUCI_CONTEXT"""
 | |
| 
 | |
|   def __init__(self, msg, exc=None):
 | |
|     if exc is None:
 | |
|       logging.error(msg)
 | |
|     else:
 | |
|       logging.exception(msg)
 | |
|       msg = '%s: %s' % (msg, exc)
 | |
|     super(LuciContextAuthError, self).__init__(msg)
 | |
| 
 | |
| 
 | |
| def has_luci_context_local_auth():
 | |
|   """Returns whether LUCI_CONTEXT should be used for ambient authentication.
 | |
|   """
 | |
|   try:
 | |
|     params = _get_luci_context_local_auth_params()
 | |
|   except LuciContextAuthError:
 | |
|     return False
 | |
|   if params is None:
 | |
|     return False
 | |
|   return bool(params.default_account_id)
 | |
| 
 | |
| 
 | |
| def get_luci_context_access_token(scopes=OAUTH_SCOPE_EMAIL):
 | |
|   """Returns a valid AccessToken from the local LUCI context auth server.
 | |
| 
 | |
|   Adapted from
 | |
|   https://chromium.googlesource.com/infra/luci/luci-py/+/master/client/libs/luci_context/luci_context.py
 | |
|   See the link above for more details.
 | |
| 
 | |
|   Returns:
 | |
|     AccessToken if LUCI_CONTEXT is present and attempt to load it is successful.
 | |
|     None if LUCI_CONTEXT is absent.
 | |
| 
 | |
|   Raises:
 | |
|     LuciContextAuthError if LUCI_CONTEXT is present, but there was a failure
 | |
|     obtaining its access token.
 | |
|   """
 | |
|   params = _get_luci_context_local_auth_params()
 | |
|   if params is None:
 | |
|     return None
 | |
|   return _get_luci_context_access_token(
 | |
|       params, datetime.datetime.utcnow(), scopes)
 | |
| 
 | |
| 
 | |
| _LuciContextLocalAuthParams = collections.namedtuple(
 | |
|   '_LuciContextLocalAuthParams', [
 | |
|     'default_account_id',
 | |
|     'secret',
 | |
|     'rpc_port',
 | |
| ])
 | |
| 
 | |
| 
 | |
| def _cache_thread_safe(f):
 | |
|   """Decorator caching result of nullary function in thread-safe way."""
 | |
|   lock = threading.Lock()
 | |
|   cache = []
 | |
| 
 | |
|   @functools.wraps(f)
 | |
|   def caching_wrapper():
 | |
|     if not cache:
 | |
|       with lock:
 | |
|         if not cache:
 | |
|           cache.append(f())
 | |
|     return cache[0]
 | |
| 
 | |
|   # Allow easy way to clear cache, particularly useful in tests.
 | |
|   caching_wrapper.clear_cache = lambda: cache.pop() if cache else None
 | |
|   return caching_wrapper
 | |
| 
 | |
| 
 | |
| @_cache_thread_safe
 | |
| def _get_luci_context_local_auth_params():
 | |
|   """Returns local auth parameters if local auth is configured else None.
 | |
| 
 | |
|   Raises LuciContextAuthError on unexpected failures.
 | |
|   """
 | |
|   ctx_path = os.environ.get('LUCI_CONTEXT')
 | |
|   if not ctx_path:
 | |
|     return None
 | |
|   ctx_path = ctx_path.decode(sys.getfilesystemencoding())
 | |
|   try:
 | |
|     loaded = _load_luci_context(ctx_path)
 | |
|   except (OSError, IOError, ValueError) as e:
 | |
|     raise LuciContextAuthError('Failed to open, read or decode LUCI_CONTEXT', e)
 | |
|   try:
 | |
|     local_auth = loaded.get('local_auth')
 | |
|   except AttributeError as e:
 | |
|     raise LuciContextAuthError('LUCI_CONTEXT not in proper format', e)
 | |
|   if local_auth is None:
 | |
|     logging.debug('LUCI_CONTEXT configured w/o local auth')
 | |
|     return None
 | |
|   try:
 | |
|     return _LuciContextLocalAuthParams(
 | |
|         default_account_id=local_auth.get('default_account_id'),
 | |
|         secret=local_auth.get('secret'),
 | |
|         rpc_port=int(local_auth.get('rpc_port')))
 | |
|   except (AttributeError, ValueError) as e:
 | |
|     raise LuciContextAuthError('local_auth config malformed', e)
 | |
| 
 | |
| 
 | |
| def _load_luci_context(ctx_path):
 | |
|   # Kept separate for test mocking.
 | |
|   with open(ctx_path) as f:
 | |
|     return json.load(f)
 | |
| 
 | |
| 
 | |
| def _get_luci_context_access_token(params, now, scopes=OAUTH_SCOPE_EMAIL):
 | |
|   # No account, local_auth shouldn't be used.
 | |
|   if not params.default_account_id:
 | |
|     return None
 | |
|   if not params.secret:
 | |
|     raise LuciContextAuthError('local_auth: no secret')
 | |
| 
 | |
|   logging.debug('local_auth: requesting an access token for account "%s"',
 | |
|       params.default_account_id)
 | |
|   http = httplib2.Http()
 | |
|   host = '127.0.0.1:%d' % params.rpc_port
 | |
|   resp, content = http.request(
 | |
|       uri='http://%s/rpc/LuciLocalAuthService.GetOAuthToken' % host,
 | |
|       method='POST',
 | |
|       body=json.dumps({
 | |
|         'account_id': params.default_account_id,
 | |
|         'scopes': scopes.split(' '),
 | |
|         'secret': params.secret,
 | |
|       }),
 | |
|       headers={'Content-Type': 'application/json'})
 | |
|   if resp.status != 200:
 | |
|     raise LuciContextAuthError(
 | |
|         'local_auth: Failed to grab access token from '
 | |
|         'LUCI context server with status %d: %r' % (resp.status, content))
 | |
|   try:
 | |
|     token = json.loads(content)
 | |
|     error_code = token.get('error_code')
 | |
|     error_message = token.get('error_message')
 | |
|     access_token = token.get('access_token')
 | |
|     expiry = token.get('expiry')
 | |
|   except (AttributeError, ValueError) as e:
 | |
|     raise LuciContextAuthError('Unexpected access token response format', e)
 | |
|   if error_code:
 | |
|     raise LuciContextAuthError(
 | |
|         'Error %d in retrieving access token: %s', error_code, error_message)
 | |
|   if not access_token:
 | |
|     raise LuciContextAuthError(
 | |
|         'No access token returned from LUCI context server')
 | |
|   expiry_dt = None
 | |
|   if expiry:
 | |
|     try:
 | |
|       expiry_dt = datetime.datetime.utcfromtimestamp(expiry)
 | |
|       logging.debug(
 | |
|         'local_auth: got an access token for '
 | |
|         'account "%s" that expires in %d sec',
 | |
|         params.default_account_id, (expiry_dt - now).total_seconds())
 | |
|     except (TypeError, ValueError) as e:
 | |
|       raise LuciContextAuthError('Invalid expiry in returned token', e)
 | |
|   else:
 | |
|     logging.debug(
 | |
|         'local auth: got an access token for account "%s" that does not expire',
 | |
|         params.default_account_id)
 | |
|   access_token = AccessToken(access_token, expiry_dt)
 | |
|   if access_token.needs_refresh(now=now):
 | |
|     raise LuciContextAuthError('Received access token is already expired')
 | |
|   return access_token
 | |
| 
 | |
| 
 | |
| def make_auth_config(
 | |
|     use_oauth2=None,
 | |
|     save_cookies=None,
 | |
|     use_local_webserver=None,
 | |
|     webserver_port=None,
 | |
|     refresh_token_json=None):
 | |
|   """Returns new instance of AuthConfig.
 | |
| 
 | |
|   If some config option is None, it will be set to a reasonable default value.
 | |
|   This function also acts as an authoritative place for default values of
 | |
|   corresponding command line options.
 | |
|   """
 | |
|   default = lambda val, d: val if val is not None else d
 | |
|   return AuthConfig(
 | |
|       default(use_oauth2, True),
 | |
|       default(save_cookies, True),
 | |
|       default(use_local_webserver, not _is_headless()),
 | |
|       default(webserver_port, 8090),
 | |
|       default(refresh_token_json, ''))
 | |
| 
 | |
| 
 | |
| def add_auth_options(parser, default_config=None):
 | |
|   """Appends OAuth related options to OptionParser."""
 | |
|   default_config = default_config or make_auth_config()
 | |
|   parser.auth_group = optparse.OptionGroup(parser, 'Auth options')
 | |
|   parser.add_option_group(parser.auth_group)
 | |
| 
 | |
|   # OAuth2 vs password switch.
 | |
|   auth_default = 'use OAuth2' if default_config.use_oauth2 else 'use password'
 | |
|   parser.auth_group.add_option(
 | |
|       '--oauth2',
 | |
|       action='store_true',
 | |
|       dest='use_oauth2',
 | |
|       default=default_config.use_oauth2,
 | |
|       help='Use OAuth 2.0 instead of a password. [default: %s]' % auth_default)
 | |
|   parser.auth_group.add_option(
 | |
|       '--no-oauth2',
 | |
|       action='store_false',
 | |
|       dest='use_oauth2',
 | |
|       default=default_config.use_oauth2,
 | |
|       help='Use password instead of OAuth 2.0. [default: %s]' % auth_default)
 | |
| 
 | |
|   # Password related options, deprecated.
 | |
|   parser.auth_group.add_option(
 | |
|       '--no-cookies',
 | |
|       action='store_false',
 | |
|       dest='save_cookies',
 | |
|       default=default_config.save_cookies,
 | |
|       help='Do not save authentication cookies to local disk.')
 | |
| 
 | |
|   # OAuth2 related options.
 | |
|   parser.auth_group.add_option(
 | |
|       '--auth-no-local-webserver',
 | |
|       action='store_false',
 | |
|       dest='use_local_webserver',
 | |
|       default=default_config.use_local_webserver,
 | |
|       help='Do not run a local web server when performing OAuth2 login flow.')
 | |
|   parser.auth_group.add_option(
 | |
|       '--auth-host-port',
 | |
|       type=int,
 | |
|       default=default_config.webserver_port,
 | |
|       help='Port a local web server should listen on. Used only if '
 | |
|           '--auth-no-local-webserver is not set. [default: %default]')
 | |
|   parser.auth_group.add_option(
 | |
|       '--auth-refresh-token-json',
 | |
|       default=default_config.refresh_token_json,
 | |
|       help='Path to a JSON file with role account refresh token to use.')
 | |
| 
 | |
| 
 | |
| def extract_auth_config_from_options(options):
 | |
|   """Given OptionParser parsed options, extracts AuthConfig from it.
 | |
| 
 | |
|   OptionParser should be populated with auth options by 'add_auth_options'.
 | |
|   """
 | |
|   return make_auth_config(
 | |
|       use_oauth2=options.use_oauth2,
 | |
|       save_cookies=False if options.use_oauth2 else options.save_cookies,
 | |
|       use_local_webserver=options.use_local_webserver,
 | |
|       webserver_port=options.auth_host_port,
 | |
|       refresh_token_json=options.auth_refresh_token_json)
 | |
| 
 | |
| 
 | |
| def auth_config_to_command_options(auth_config):
 | |
|   """AuthConfig -> list of strings with command line options.
 | |
| 
 | |
|   Omits options that are set to default values.
 | |
|   """
 | |
|   if not auth_config:
 | |
|     return []
 | |
|   defaults = make_auth_config()
 | |
|   opts = []
 | |
|   if auth_config.use_oauth2 != defaults.use_oauth2:
 | |
|     opts.append('--oauth2' if auth_config.use_oauth2 else '--no-oauth2')
 | |
|   if auth_config.save_cookies != auth_config.save_cookies:
 | |
|     if not auth_config.save_cookies:
 | |
|       opts.append('--no-cookies')
 | |
|   if auth_config.use_local_webserver != defaults.use_local_webserver:
 | |
|     if not auth_config.use_local_webserver:
 | |
|       opts.append('--auth-no-local-webserver')
 | |
|   if auth_config.webserver_port != defaults.webserver_port:
 | |
|     opts.extend(['--auth-host-port', str(auth_config.webserver_port)])
 | |
|   if auth_config.refresh_token_json != defaults.refresh_token_json:
 | |
|     opts.extend([
 | |
|         '--auth-refresh-token-json', str(auth_config.refresh_token_json)])
 | |
|   return opts
 | |
| 
 | |
| 
 | |
| def get_authenticator_for_host(hostname, config, scopes=OAUTH_SCOPE_EMAIL):
 | |
|   """Returns Authenticator instance to access given host.
 | |
| 
 | |
|   Args:
 | |
|     hostname: a naked hostname or http(s)://<hostname>[/] URL. Used to derive
 | |
|         a cache key for token cache.
 | |
|     config: AuthConfig instance.
 | |
|     scopes: space separated oauth scopes. Defaults to OAUTH_SCOPE_EMAIL.
 | |
| 
 | |
|   Returns:
 | |
|     Authenticator object.
 | |
| 
 | |
|   Raises:
 | |
|     AuthenticationError if hostname is invalid.
 | |
|   """
 | |
|   hostname = hostname.lower().rstrip('/')
 | |
|   # Append some scheme, otherwise urlparse puts hostname into parsed.path.
 | |
|   if '://' not in hostname:
 | |
|     hostname = 'https://' + hostname
 | |
|   parsed = urlparse.urlparse(hostname)
 | |
| 
 | |
|   if parsed.path or parsed.params or parsed.query or parsed.fragment:
 | |
|     raise AuthenticationError(
 | |
|         'Expecting a hostname or root host URL, got %s instead' % hostname)
 | |
|   return Authenticator(parsed.netloc, config, scopes)
 | |
| 
 | |
| 
 | |
| class Authenticator(object):
 | |
|   """Object that knows how to refresh access tokens when needed.
 | |
| 
 | |
|   Args:
 | |
|     token_cache_key: string key of a section of the token cache file to use
 | |
|         to keep the tokens. See hostname_to_token_cache_key.
 | |
|     config: AuthConfig object that holds authentication configuration.
 | |
|   """
 | |
| 
 | |
|   def __init__(self, token_cache_key, config, scopes):
 | |
|     assert isinstance(config, AuthConfig)
 | |
|     assert config.use_oauth2
 | |
|     self._access_token = None
 | |
|     self._config = config
 | |
|     self._lock = threading.Lock()
 | |
|     self._token_cache_key = token_cache_key
 | |
|     self._external_token = None
 | |
|     self._scopes = scopes
 | |
|     if config.refresh_token_json:
 | |
|       self._external_token = _read_refresh_token_json(config.refresh_token_json)
 | |
|     logging.debug('Using auth config %r', config)
 | |
| 
 | |
|   def login(self):
 | |
|     """Performs interactive login flow if necessary.
 | |
| 
 | |
|     Raises:
 | |
|       AuthenticationError on error or if interrupted.
 | |
|     """
 | |
|     if self._external_token:
 | |
|       raise AuthenticationError(
 | |
|           'Can\'t run login flow when using --auth-refresh-token-json.')
 | |
|     return self.get_access_token(
 | |
|         force_refresh=True, allow_user_interaction=True)
 | |
| 
 | |
|   def logout(self):
 | |
|     """Revokes the refresh token and deletes it from the cache.
 | |
| 
 | |
|     Returns True if had some credentials cached.
 | |
|     """
 | |
|     with self._lock:
 | |
|       self._access_token = None
 | |
|       storage = self._get_storage()
 | |
|       credentials = storage.get()
 | |
|       had_creds = bool(credentials)
 | |
|       if credentials and credentials.refresh_token and credentials.revoke_uri:
 | |
|         try:
 | |
|           credentials.revoke(httplib2.Http())
 | |
|         except client.TokenRevokeError as e:
 | |
|           logging.warning('Failed to revoke refresh token: %s', e)
 | |
|       storage.delete()
 | |
|     return had_creds
 | |
| 
 | |
|   def has_cached_credentials(self):
 | |
|     """Returns True if long term credentials (refresh token) are in cache.
 | |
| 
 | |
|     Doesn't make network calls.
 | |
| 
 | |
|     If returns False, get_access_token() later will ask for interactive login by
 | |
|     raising LoginRequiredError.
 | |
| 
 | |
|     If returns True, most probably get_access_token() won't ask for interactive
 | |
|     login, though it is not guaranteed, since cached token can be already
 | |
|     revoked and there's no way to figure this out without actually trying to use
 | |
|     it.
 | |
|     """
 | |
|     with self._lock:
 | |
|       return bool(self._get_cached_credentials())
 | |
| 
 | |
|   def get_access_token(self, force_refresh=False, allow_user_interaction=False,
 | |
|                        use_local_auth=True):
 | |
|     """Returns AccessToken, refreshing it if necessary.
 | |
| 
 | |
|     Args:
 | |
|       force_refresh: forcefully refresh access token even if it is not expired.
 | |
|       allow_user_interaction: True to enable blocking for user input if needed.
 | |
|       use_local_auth: default to local auth if needed.
 | |
| 
 | |
|     Raises:
 | |
|       AuthenticationError on error or if authentication flow was interrupted.
 | |
|       LoginRequiredError if user interaction is required, but
 | |
|           allow_user_interaction is False.
 | |
|     """
 | |
|     def get_loc_auth_tkn():
 | |
|       exi = sys.exc_info()
 | |
|       if not use_local_auth:
 | |
|         logging.error('Failed to create access token')
 | |
|         raise
 | |
|       try:
 | |
|         self._access_token = get_luci_context_access_token()
 | |
|         if not self._access_token:
 | |
|           logging.error('Failed to create access token')
 | |
|           raise
 | |
|         return self._access_token
 | |
|       except LuciContextAuthError:
 | |
|         logging.exception('Failed to use local auth')
 | |
|         raise exi[0], exi[1], exi[2]
 | |
| 
 | |
|     with self._lock:
 | |
|       if force_refresh:
 | |
|         logging.debug('Forcing access token refresh')
 | |
|         try:
 | |
|           self._access_token = self._create_access_token(allow_user_interaction)
 | |
|           return self._access_token
 | |
|         except LoginRequiredError:
 | |
|           return get_loc_auth_tkn()
 | |
| 
 | |
|       # Load from on-disk cache on a first access.
 | |
|       if not self._access_token:
 | |
|         self._access_token = self._load_access_token()
 | |
| 
 | |
|       # Refresh if expired or missing.
 | |
|       if not self._access_token or self._access_token.needs_refresh():
 | |
|         # Maybe some other process already updated it, reload from the cache.
 | |
|         self._access_token = self._load_access_token()
 | |
|         # Nope, still expired, need to run the refresh flow.
 | |
|         if not self._access_token or self._access_token.needs_refresh():
 | |
|           try:
 | |
|             self._access_token = self._create_access_token(
 | |
|                 allow_user_interaction)
 | |
|           except LoginRequiredError:
 | |
|             get_loc_auth_tkn()
 | |
| 
 | |
|       return self._access_token
 | |
| 
 | |
|   def get_token_info(self):
 | |
|     """Returns a result of /oauth2/v2/tokeninfo call with token info."""
 | |
|     access_token = self.get_access_token()
 | |
|     resp, content = httplib2.Http().request(
 | |
|         uri='https://www.googleapis.com/oauth2/v2/tokeninfo?%s' % (
 | |
|             urllib.urlencode({'access_token': access_token.token})))
 | |
|     if resp.status == 200:
 | |
|       return json.loads(content)
 | |
|     raise AuthenticationError('Failed to fetch the token info: %r' % content)
 | |
| 
 | |
|   def authorize(self, http):
 | |
|     """Monkey patches authentication logic of httplib2.Http instance.
 | |
| 
 | |
|     The modified http.request method will add authentication headers to each
 | |
|     request and will refresh access_tokens when a 401 is received on a
 | |
|     request.
 | |
| 
 | |
|     Args:
 | |
|        http: An instance of httplib2.Http.
 | |
| 
 | |
|     Returns:
 | |
|        A modified instance of http that was passed in.
 | |
|     """
 | |
|     # Adapted from oauth2client.OAuth2Credentials.authorize.
 | |
| 
 | |
|     request_orig = http.request
 | |
| 
 | |
|     @functools.wraps(request_orig)
 | |
|     def new_request(
 | |
|         uri, method='GET', body=None, headers=None,
 | |
|         redirections=httplib2.DEFAULT_MAX_REDIRECTS,
 | |
|         connection_type=None):
 | |
|       headers = (headers or {}).copy()
 | |
|       headers['Authorization'] = 'Bearer %s' % self.get_access_token().token
 | |
|       resp, content = request_orig(
 | |
|           uri, method, body, headers, redirections, connection_type)
 | |
|       if resp.status in client.REFRESH_STATUS_CODES:
 | |
|         logging.info('Refreshing due to a %s', resp.status)
 | |
|         access_token = self.get_access_token(force_refresh=True)
 | |
|         headers['Authorization'] = 'Bearer %s' % access_token.token
 | |
|         return request_orig(
 | |
|             uri, method, body, headers, redirections, connection_type)
 | |
|       else:
 | |
|         return (resp, content)
 | |
| 
 | |
|     http.request = new_request
 | |
|     return http
 | |
| 
 | |
|   ## Private methods.
 | |
| 
 | |
|   def _get_storage(self):
 | |
|     """Returns oauth2client.Storage with cached tokens."""
 | |
|     # Do not mix cache keys for different externally provided tokens.
 | |
|     if self._external_token:
 | |
|       token_hash = hashlib.sha1(self._external_token.refresh_token).hexdigest()
 | |
|       cache_key = '%s:refresh_tok:%s' % (self._token_cache_key, token_hash)
 | |
|     else:
 | |
|       cache_key = self._token_cache_key
 | |
|     path = _get_token_cache_path()
 | |
|     logging.debug('Using token storage %r (cache key %r)', path, cache_key)
 | |
|     return multistore_file.get_credential_storage_custom_string_key(
 | |
|         path, cache_key)
 | |
| 
 | |
|   def _get_cached_credentials(self):
 | |
|     """Returns oauth2client.Credentials loaded from storage."""
 | |
|     storage = self._get_storage()
 | |
|     credentials = storage.get()
 | |
| 
 | |
|     if not credentials:
 | |
|       logging.debug('No cached token')
 | |
|     else:
 | |
|       _log_credentials_info('cached token', credentials)
 | |
| 
 | |
|     # Is using --auth-refresh-token-json?
 | |
|     if self._external_token:
 | |
|       # Cached credentials are valid and match external token -> use them. It is
 | |
|       # important to reuse credentials from the storage because they contain
 | |
|       # cached access token.
 | |
|       valid = (
 | |
|           credentials and not credentials.invalid and
 | |
|           credentials.refresh_token == self._external_token.refresh_token and
 | |
|           credentials.client_id == self._external_token.client_id and
 | |
|           credentials.client_secret == self._external_token.client_secret)
 | |
|       if valid:
 | |
|         logging.debug('Cached credentials match external refresh token')
 | |
|         return credentials
 | |
|       # Construct new credentials from externally provided refresh token,
 | |
|       # associate them with cache storage (so that access_token will be placed
 | |
|       # in the cache later too).
 | |
|       logging.debug('Putting external refresh token into the cache')
 | |
|       credentials = client.OAuth2Credentials(
 | |
|           access_token=None,
 | |
|           client_id=self._external_token.client_id,
 | |
|           client_secret=self._external_token.client_secret,
 | |
|           refresh_token=self._external_token.refresh_token,
 | |
|           token_expiry=None,
 | |
|           token_uri='https://accounts.google.com/o/oauth2/token',
 | |
|           user_agent=None,
 | |
|           revoke_uri=None)
 | |
|       credentials.set_store(storage)
 | |
|       storage.put(credentials)
 | |
|       return credentials
 | |
| 
 | |
|     # Not using external refresh token -> return whatever is cached.
 | |
|     return credentials if (credentials and not credentials.invalid) else None
 | |
| 
 | |
|   def _load_access_token(self):
 | |
|     """Returns cached AccessToken if it is not expired yet."""
 | |
|     logging.debug('Reloading access token from cache')
 | |
|     creds = self._get_cached_credentials()
 | |
|     if not creds or not creds.access_token or creds.access_token_expired:
 | |
|       logging.debug('Access token is missing or expired')
 | |
|       return None
 | |
|     return AccessToken(str(creds.access_token), creds.token_expiry)
 | |
| 
 | |
|   def _create_access_token(self, allow_user_interaction=False):
 | |
|     """Mints and caches a new access token, launching OAuth2 dance if necessary.
 | |
| 
 | |
|     Uses cached refresh token, if present. In that case user interaction is not
 | |
|     required and function will finish quietly. Otherwise it will launch 3-legged
 | |
|     OAuth2 flow, that needs user interaction.
 | |
| 
 | |
|     Args:
 | |
|       allow_user_interaction: if True, allow interaction with the user (e.g.
 | |
|           reading standard input, or launching a browser).
 | |
| 
 | |
|     Returns:
 | |
|       AccessToken.
 | |
| 
 | |
|     Raises:
 | |
|       AuthenticationError on error or if authentication flow was interrupted.
 | |
|       LoginRequiredError if user interaction is required, but
 | |
|           allow_user_interaction is False.
 | |
|     """
 | |
|     logging.debug(
 | |
|         'Making new access token (allow_user_interaction=%r)',
 | |
|         allow_user_interaction)
 | |
|     credentials = self._get_cached_credentials()
 | |
| 
 | |
|     # 3-legged flow with (perhaps cached) refresh token.
 | |
|     refreshed = False
 | |
|     if credentials and not credentials.invalid:
 | |
|       try:
 | |
|         logging.debug('Attempting to refresh access_token')
 | |
|         credentials.refresh(httplib2.Http())
 | |
|         _log_credentials_info('refreshed token', credentials)
 | |
|         refreshed = True
 | |
|       except client.Error as err:
 | |
|         logging.warning(
 | |
|             'OAuth error during access token refresh (%s). '
 | |
|             'Attempting a full authentication flow.', err)
 | |
| 
 | |
|     # Refresh token is missing or invalid, go through the full flow.
 | |
|     if not refreshed:
 | |
|       # Can't refresh externally provided token.
 | |
|       if self._external_token:
 | |
|         raise AuthenticationError(
 | |
|             'Token provided via --auth-refresh-token-json is no longer valid.')
 | |
|       if not allow_user_interaction:
 | |
|         logging.debug('Requesting user to login')
 | |
|         raise LoginRequiredError(self._token_cache_key)
 | |
|       logging.debug('Launching OAuth browser flow')
 | |
|       credentials = _run_oauth_dance(self._config, self._scopes)
 | |
|       _log_credentials_info('new token', credentials)
 | |
| 
 | |
|     logging.info(
 | |
|         'OAuth access_token refreshed. Expires in %s.',
 | |
|         credentials.token_expiry - datetime.datetime.utcnow())
 | |
|     storage = self._get_storage()
 | |
|     credentials.set_store(storage)
 | |
|     storage.put(credentials)
 | |
|     return AccessToken(str(credentials.access_token), credentials.token_expiry)
 | |
| 
 | |
| 
 | |
| ## Private functions.
 | |
| 
 | |
| 
 | |
| def _get_token_cache_path():
 | |
|   # On non Win just use HOME.
 | |
|   if sys.platform != 'win32':
 | |
|     return os.path.join(os.path.expanduser('~'), OAUTH_TOKENS_CACHE)
 | |
|   # Prefer USERPROFILE over HOME, since HOME is overridden in
 | |
|   # git-..._bin/cmd/git.cmd to point to depot_tools. depot-tools-auth.py script
 | |
|   # (and all other scripts) doesn't use this override and thus uses another
 | |
|   # value for HOME. git.cmd doesn't touch USERPROFILE though, and usually
 | |
|   # USERPROFILE == HOME on Windows.
 | |
|   if 'USERPROFILE' in os.environ:
 | |
|     return os.path.join(os.environ['USERPROFILE'], OAUTH_TOKENS_CACHE)
 | |
|   return os.path.join(os.path.expanduser('~'), OAUTH_TOKENS_CACHE)
 | |
| 
 | |
| 
 | |
| def _is_headless():
 | |
|   """True if machine doesn't seem to have a display."""
 | |
|   return sys.platform == 'linux2' and not os.environ.get('DISPLAY')
 | |
| 
 | |
| 
 | |
| def _read_refresh_token_json(path):
 | |
|   """Returns RefreshToken by reading it from the JSON file."""
 | |
|   try:
 | |
|     with open(path, 'r') as f:
 | |
|       data = json.load(f)
 | |
|       return RefreshToken(
 | |
|           client_id=str(data.get('client_id', OAUTH_CLIENT_ID)),
 | |
|           client_secret=str(data.get('client_secret', OAUTH_CLIENT_SECRET)),
 | |
|           refresh_token=str(data['refresh_token']))
 | |
|   except (IOError, ValueError) as e:
 | |
|     raise AuthenticationError(
 | |
|         'Failed to read refresh token from %s: %s' % (path, e))
 | |
|   except KeyError as e:
 | |
|     raise AuthenticationError(
 | |
|         'Failed to read refresh token from %s: missing key %s' % (path, e))
 | |
| 
 | |
| 
 | |
| def _log_credentials_info(title, credentials):
 | |
|   """Dumps (non sensitive) part of client.Credentials object to debug log."""
 | |
|   if credentials:
 | |
|     logging.debug('%s info: %r', title, {
 | |
|         'access_token_expired': credentials.access_token_expired,
 | |
|         'has_access_token': bool(credentials.access_token),
 | |
|         'invalid': credentials.invalid,
 | |
|         'utcnow': datetime.datetime.utcnow(),
 | |
|         'token_expiry': credentials.token_expiry,
 | |
|     })
 | |
| 
 | |
| 
 | |
| def _run_oauth_dance(config, scopes):
 | |
|   """Perform full 3-legged OAuth2 flow with the browser.
 | |
| 
 | |
|   Returns:
 | |
|     oauth2client.Credentials.
 | |
| 
 | |
|   Raises:
 | |
|     AuthenticationError on errors.
 | |
|   """
 | |
|   flow = client.OAuth2WebServerFlow(
 | |
|       OAUTH_CLIENT_ID,
 | |
|       OAUTH_CLIENT_SECRET,
 | |
|       scopes,
 | |
|       approval_prompt='force')
 | |
| 
 | |
|   use_local_webserver = config.use_local_webserver
 | |
|   port = config.webserver_port
 | |
|   if config.use_local_webserver:
 | |
|     success = False
 | |
|     try:
 | |
|       httpd = _ClientRedirectServer(('localhost', port), _ClientRedirectHandler)
 | |
|     except socket.error:
 | |
|       pass
 | |
|     else:
 | |
|       success = True
 | |
|     use_local_webserver = success
 | |
|     if not success:
 | |
|       print(
 | |
|         'Failed to start a local webserver listening on port %d.\n'
 | |
|         'Please check your firewall settings and locally running programs that '
 | |
|         'may be blocking or using those ports.\n\n'
 | |
|         'Falling back to --auth-no-local-webserver and continuing with '
 | |
|         'authentication.\n' % port)
 | |
| 
 | |
|   if use_local_webserver:
 | |
|     oauth_callback = 'http://localhost:%s/' % port
 | |
|   else:
 | |
|     oauth_callback = client.OOB_CALLBACK_URN
 | |
|   flow.redirect_uri = oauth_callback
 | |
|   authorize_url = flow.step1_get_authorize_url()
 | |
| 
 | |
|   if use_local_webserver:
 | |
|     webbrowser.open(authorize_url, new=1, autoraise=True)
 | |
|     print(
 | |
|       'Your browser has been opened to visit:\n\n'
 | |
|       '    %s\n\n'
 | |
|       'If your browser is on a different machine then exit and re-run this '
 | |
|       'application with the command-line parameter\n\n'
 | |
|       '  --auth-no-local-webserver\n' % authorize_url)
 | |
|   else:
 | |
|     print(
 | |
|       'Go to the following link in your browser:\n\n'
 | |
|       '    %s\n' % authorize_url)
 | |
| 
 | |
|   try:
 | |
|     code = None
 | |
|     if use_local_webserver:
 | |
|       httpd.handle_request()
 | |
|       if 'error' in httpd.query_params:
 | |
|         raise AuthenticationError(
 | |
|             'Authentication request was rejected: %s' %
 | |
|             httpd.query_params['error'])
 | |
|       if 'code' not in httpd.query_params:
 | |
|         raise AuthenticationError(
 | |
|             'Failed to find "code" in the query parameters of the redirect.\n'
 | |
|             'Try running with --auth-no-local-webserver.')
 | |
|       code = httpd.query_params['code']
 | |
|     else:
 | |
|       code = raw_input('Enter verification code: ').strip()
 | |
|   except KeyboardInterrupt:
 | |
|     raise AuthenticationError('Authentication was canceled.')
 | |
| 
 | |
|   try:
 | |
|     return flow.step2_exchange(code)
 | |
|   except client.FlowExchangeError as e:
 | |
|     raise AuthenticationError('Authentication has failed: %s' % e)
 | |
| 
 | |
| 
 | |
| class _ClientRedirectServer(BaseHTTPServer.HTTPServer):
 | |
|   """A server to handle OAuth 2.0 redirects back to localhost.
 | |
| 
 | |
|   Waits for a single request and parses the query parameters
 | |
|   into query_params and then stops serving.
 | |
|   """
 | |
|   query_params = {}
 | |
| 
 | |
| 
 | |
| class _ClientRedirectHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 | |
|   """A handler for OAuth 2.0 redirects back to localhost.
 | |
| 
 | |
|   Waits for a single request and parses the query parameters
 | |
|   into the servers query_params and then stops serving.
 | |
|   """
 | |
| 
 | |
|   def do_GET(self):
 | |
|     """Handle a GET request.
 | |
| 
 | |
|     Parses the query parameters and prints a message
 | |
|     if the flow has completed. Note that we can't detect
 | |
|     if an error occurred.
 | |
|     """
 | |
|     self.send_response(200)
 | |
|     self.send_header('Content-type', 'text/html')
 | |
|     self.end_headers()
 | |
|     query = self.path.split('?', 1)[-1]
 | |
|     query = dict(urlparse.parse_qsl(query))
 | |
|     self.server.query_params = query
 | |
|     self.wfile.write('<html><head><title>Authentication Status</title></head>')
 | |
|     self.wfile.write('<body><p>The authentication flow has completed.</p>')
 | |
|     self.wfile.write('</body></html>')
 | |
| 
 | |
|   def log_message(self, _format, *args):
 | |
|     """Do not log messages to stdout while running as command line program."""
 |